You do not need a "secret key". You need a strong hashing algorithm (which MD5 is not) and a unique, random salt for every password. The salt doesn't have to be secret. Its sole purpose is to prevent brute-force attacks on all passwords at once, because each password must be attacked separately using its individual salt.

The best solution is probably the PHPass library, because it's established and well-tested -- much better than trying to implement your own algorithm, because there are many things you can do wrong. Cryptography isn't trivial.
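The per-password salt described above, as an added example that is not part of the original post. It uses PHP's built-in `password_hash()` family (PHP 5.5 and later) rather than PHPass; the helper names `register_user` and `check_login`, the in-memory `$db` array, and the user names and passwords are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. $db stands in for a users table.

function register_user(array &$db, string $user, string $password): void
{
    // password_hash() draws a fresh random salt on every call and embeds the
    // algorithm, cost and salt in the returned string, so there is no
    // separate salt column and no secret key to manage.
    $db[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$db, string $user, string $password): bool
{
    if (!isset($db[$user]) || !password_verify($password, $db[$user])) {
        return false;
    }
    // Re-hash transparently if the default algorithm or cost has since changed.
    if (password_needs_rehash($db[$user], PASSWORD_DEFAULT)) {
        $db[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: two users who picked the same password.
$shared = 'correct horse battery staple';

$db = [];
register_user($db, 'alice', $shared);
register_user($db, 'bob', $shared);

// What an unsalted MD5 table would hold for the same two users.
$legacy = ['alice' => md5($shared), 'bob' => md5($shared)];

// Unsalted: one distinct value, so a single guess is checked against every
// row at once. Salted: one distinct value per user, so every guess has to be
// re-hashed for each user with that user's own salt.
printf("distinct unsalted MD5 hashes: %d\n", count(array_unique($legacy)));
printf("distinct salted hashes:       %d\n", count(array_unique($db)));

printf("alice, right password: %s\n", var_export(check_login($db, 'alice', $shared), true));
printf("bob, wrong password:   %s\n", var_export(check_login($db, 'bob', 'letmein'), true));
```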